Bug 1766378 (CVE-2019-11043) - CVE-2019-11043 php: underflow in env_path_info in fpm_main.c
Summary: CVE-2019-11043 php: underflow in env_path_info in fpm_main.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1766379 1766588 1766589 1766590 1766591 1766592 1766593 1766594 1766599 1766600 1766601 1766602 1766603 1766604 1766644 1766645 1771940 1840076
Blocks: 1766380
Reported: 2019-10-28 21:13 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-06 18:43 UTC (History)
CC List: 16 users

Fixed In Version: php 7.3.11, php 7.2.24, php 7.1.33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-31 18:51:33 UTC
Embargoed:




Links (Red Hat Product Errata, with last-updated time):
  RHBA-2019:3726  2019-11-06 10:10:54 UTC
  RHBA-2019:3727  2019-11-06 10:12:54 UTC
  RHBA-2019:3728  2019-11-06 11:55:49 UTC
  RHSA-2019:3286  2019-10-31 17:33:19 UTC
  RHSA-2019:3287  2019-10-31 17:32:41 UTC
  RHSA-2019:3299  2019-11-01 13:01:14 UTC
  RHSA-2019:3300  2019-11-01 13:03:42 UTC
  RHSA-2019:3724  2019-11-06 09:38:26 UTC
  RHSA-2019:3735  2019-11-06 13:48:26 UTC
  RHSA-2019:3736  2019-11-06 13:48:37 UTC
  RHSA-2020:0322  2020-02-03 21:28:22 UTC
  RHSA-2020:2835  2020-07-07 10:15:52 UTC

Description Guilherme de Almeida Suckevicz 2019-10-28 21:13:43 UTC
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of an FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Upstream bug:

https://bugs.php.net/bug.php?id=78599

Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a

Comment 1 Guilherme de Almeida Suckevicz 2019-10-28 21:14:00 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1766379]

Comment 4 Remi Collet 2019-10-29 08:00:01 UTC
Notice: this issue only affects NGINX + PHP users.

Affected nginx configurations can be fixed; some details are in the upstream (php) bug 78599 report.

Comment 20 Marco Benatto 2019-10-29 19:56:57 UTC
There's an issue when running php-fpm on the nginx web server. The nginx configuration allows the user to choose which portions of the received request will be handled as the script to be run and which will be extra data; this is done using a regular expression via fastcgi_param fastcgi_split_path_info. When setting fastcgi_split_path_info with the regex '^(.+?\.php)(/.*)$;', some requests may cause an out-of-bounds write due to an underflow caused by weak path validation in the init_request_info() function. An attacker can leverage this bug by creating specially crafted requests which trigger the problem; as a consequence, the attacker can corrupt memory, cause php-fpm to crash, and cause remote code execution.

This flaw has a high impact for confidentiality, availability, and integrity.

Comment 26 Doran Moppert 2019-10-29 23:34:04 UTC
Mitigation:

1) Check your nginx configuration files, especially the ones related to php-fpm, for the presence of the pattern below in the fastcgi_split_path_info regex and the PATH_INFO parameter:

~~~
     fastcgi_split_path_info     ^(.+?\.php)(/.*)$;
     fastcgi_param    PATH_INFO  $fastcgi_path_info;
~~~

2) If the fastcgi_split_path_info regex matches the one above, for each fastcgi_param PATH_INFO entry perform the following change:

~~~
     fastcgi_param    PATH_INFO  $fastcgi_path_info if_not_empty;
~~~

This step will allow you to safely continue using the PATH_INFO parameter while the patch is not applied.

3) Restart your nginx instance:

~~~
     systemctl restart nginx
~~~

Comment 28 Marco Benatto 2019-10-30 14:47:24 UTC
External References:

https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/

Comment 33 errata-xmlrpc 2019-10-31 17:32:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3287 https://access.redhat.com/errata/RHSA-2019:3287

Comment 34 errata-xmlrpc 2019-10-31 17:33:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3286 https://access.redhat.com/errata/RHSA-2019:3286

Comment 35 Product Security DevOps Team 2019-10-31 18:51:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11043

Comment 36 Marco Benatto 2019-10-31 20:17:01 UTC
There are some preconditions that should be met in order for the attack to work:

1) The script should be forwarded to php-fpm, so the requested location should match the location's regex in the nginx configuration file;
2) The fastcgi_split_path_info directive's regular expression should start with '^' and end with '$';
3) The PATH_INFO variable should be assigned at some point, looking like:
       fastcgi_param PATH_INFO $fastcgi_path_info;
   and the SCRIPT_FILENAME variable should be set at some point in all configuration files for the given location as shown below:
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
4) File existence is not checked in the configuration files (directives like try_files or if(-f $uri) are not used);
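The following is an added example, not part of the bug report or of any Red Hat or PHP tooling: a small checker that applies the preconditions listed in Comment 36 and the if_not_empty mitigation from Comment 26 to an nginx location block. The two configuration blocks are constructed samples; the socket path and location regex are assumptions.

```python
import re

# Constructed sample nginx location blocks (illustrative, not taken from the report).
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm/www.sock;
}
"""

MITIGATED_CONF = r"""
location ~ [^/]\.php(/|$) {
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm/www.sock;
}
"""

def assess(block):
    """Map each precondition from Comment 36 to a boolean for one location block."""
    split = re.search(r'fastcgi_split_path_info\s+([^;\s]+)\s*;', block)
    regex = split.group(1) if split else ''
    # Every PATH_INFO assignment derived from $fastcgi_path_info; the captured
    # tail holds any trailing flags such as if_not_empty (Comment 26 mitigation).
    path_info = re.findall(r'fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info([^;]*);', block)
    return {
        'forwards_to_fpm': bool(re.search(r'\bfastcgi_pass\b', block)),
        'split_regex_anchored': regex.startswith('^') and regex.endswith('$'),
        'unguarded_path_info': any('if_not_empty' not in tail for tail in path_info),
        'script_filename_set': bool(re.search(
            r'fastcgi_param\s+SCRIPT_FILENAME\s+\$document_root\$fastcgi_script_name\s*;', block)),
        'file_existence_checked': bool(re.search(r'\btry_files\b|\bif\s*\(\s*-f\b', block)),
    }

def is_exposed(block):
    """True only when all preconditions hold and neither mitigation is present."""
    a = assess(block)
    return (a['forwards_to_fpm'] and a['split_regex_anchored']
            and a['unguarded_path_info'] and a['script_filename_set']
            and not a['file_existence_checked'])

if __name__ == '__main__':
    for name, conf in (('vulnerable', VULNERABLE_CONF), ('mitigated', MITIGATED_CONF)):
        print(name, 'exposed' if is_exposed(conf) else 'not exposed', assess(conf))
```

Either adding if_not_empty to PATH_INFO or adding a try_files check is enough for is_exposed() to return False, matching the two mitigations the report describes.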

Comment 37 errata-xmlrpc 2019-11-01 13:01:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299

Comment 38 errata-xmlrpc 2019-11-01 13:03:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3300 https://access.redhat.com/errata/RHSA-2019:3300

Comment 39 Eric Christensen 2019-11-04 17:47:48 UTC
Statement:

This issue only affects instances running php-fpm under nginx server software as environment paths and parameters are handled by different code pieces depending on the server php-fpm is running under. The code where this issue is found is used exclusively when php-fpm detects the request came through an nginx server.

Red Hat Product Security team rated this issue as having a Critical security impact, as an attacker may take advantage of the existing bug to cause Remote Code Execution on network-exposed software.

Comment 41 errata-xmlrpc 2019-11-06 09:38:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3724 https://access.redhat.com/errata/RHSA-2019:3724

Comment 42 errata-xmlrpc 2019-11-06 13:48:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3735 https://access.redhat.com/errata/RHSA-2019:3735

Comment 43 errata-xmlrpc 2019-11-06 13:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3736 https://access.redhat.com/errata/RHSA-2019:3736

Comment 55 errata-xmlrpc 2020-02-03 21:28:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0322 https://access.redhat.com/errata/RHSA-2020:0322

Comment 59 errata-xmlrpc 2020-07-07 10:15:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2835 https://access.redhat.com/errata/RHSA-2020:2835